[Unbound-users] Exception for private domains?
Paul Wouters
paul at xelerance.com
Fri Oct 8 14:57:49 UTC 2010
On Fri, 8 Oct 2010, W.C.A. Wijngaards wrote:
> On 10/08/2010 12:43 PM, Stephane Bortzmeyer wrote:
>> At work, we use a private TLD (I did not decide, don't hit me, not my
>> fault, I don't speak for my employer, etc), and a validating Unbound
>> resolver was able to use it with forward-zone.
>>
>> Now that the root is signed and validated, I get a SERVFAIL, probably
>> because the root says NXDOMAIN.
>>
>> Is there any way to tell Unbound to bypass the validation through the
>> root for a given domain?
>
> Yes, I thought this sort of deployment could be an issue. The option:
> domain-insecure: "mytld"
> tells unbound that this is a non-DNSSEC domain. You can have multiple
> such statements in unbound.conf. (joined with trust-anchor statements,
> the longest-match name applies).
Wouldn't it be better to configure a key and forward statement in unbound
for that TLD (just like you would do for a non-tld) so that you can
actually run your TLD with dnssec instead of leaving it insecure?
That is using a stub-zone: with stub-prime:no and stub-addr: ?
Paul
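
The two approaches discussed in this thread, written out as an unbound.conf fragment. This is an added example, not part of the original messages; the zone name "mytld.", the address 192.0.2.53 (documentation range) and the key file path are placeholders.

```conf
server:
    # Option A (the domain-insecure answer quoted above):
    # declare the private TLD unsigned. Unbound stops requiring a chain
    # of trust from the signed root for this name and everything below it,
    # so the root's proof that the TLD does not exist no longer produces
    # SERVFAIL. Answers under mytld are accepted without validation.
    domain-insecure: "mytld."

    # Option B (the signed-private-TLD suggestion in the reply):
    # sign the internal zone and give Unbound a trust anchor for it.
    # The longest-match name applies, so this anchor is used for mytld
    # instead of the root anchor, and answers are validated.
    # Use instead of domain-insecure, not together with it.
    # The file (placeholder path) holds the zone's DS or DNSKEY record.
    # trust-anchor-file: "/etc/unbound/mytld.key"

# Option A as described in the original question: forward queries for
# the private TLD to the internal resolver.
forward-zone:
    name: "mytld."
    forward-addr: 192.0.2.53

# Option B: point Unbound at the authoritative server for the signed
# private TLD. stub-prime: no means the listed address is used as given
# rather than re-fetching the NS set from it first.
# stub-zone:
#     name: "mytld."
#     stub-addr: 192.0.2.53
#     stub-prime: no
```

Running `unbound-checkconf` on the edited file catches syntax errors before the resolver is reloaded.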